By Fasya Addina Teixeira and Christian Donny Putranto
The International Committee of the Red Cross (ICRC) and the Ministry of Foreign Affairs of the Republic of Indonesia have recently published a new report of the Asia-Pacific regional consultation on international humanitarian law (IHL) and cyber operations during armed conflict, which they jointly organized on 29-30 November 2022. This was the third of the series of regional consultations organized by the ICRC and partner States on this subject. The first two consultations have taken place in 2021 for Latin American States (organized jointly with the government of Mexico) as well as Central and Eastern European States (organized jointly with Estonian Ministry of Foreign Affairs and NATO Cooperative Cyber Defence Centre of Excellence).
The aim of the regional consultation was to facilitate a dialogue between States with a view to fostering exchange and developing common understandings on how and when IHL applies to the use of information and communication technologies (ICT) during armed conflicts.
Eleven States and six experts from the region participated and exchanged views on the application of IHL to cyber operations during armed conflict. The participating States were Australia, China, India, Indonesia, Iran, Japan, Malaysia, New Zealand, Pakistan, Singapore and Thailand. Some of these States also shared their experiences in developing a national position on the application of international law in cyberspace.
The following sections provide some highlights of the consultation.
Current reality and legal framework
This consultation initiative responds to the growing use of cyber operations in the past decade in situations of armed conflict, such as the international armed conflict in Ukraine, posing a risk of significant harm to the civilian population. Indeed, cyber operations during armed conflict have disrupted government and humanitarian services, targeted hospitals, and affected essential services for civilian populations, such as electricity.
The Asia-Pacific region is not exempted from this risk. Cyber incidents in the region – which have been conducted outside armed conflicts – have halted services at hospitals, caused major power outage and endangered medical data of millions of people. Moreover, it is noteworthy that the region reportedly faced the most cyber operations in 2022, surpassing Europe and North America. This should raise concerns for Asia-Pacific States.
In the United Nations, all States have agreed that international law applies to the use of ICT by States (here, para. 34), emphasized that ‘international humanitarian law applies only in situations of armed conflict’ and recalled that ‘these principles by no means legitimizes or encourages conflict’ (here, para. 71(f)). Maintaining peace must be at the forefront of international relations, as States have an obligation to settle their international disputes by peaceful means. Unfortunately, however, the world is witnessing the growing use of sophisticated cyber operations, including in ongoing conflicts. States ought to collectively ensure that IHL, which imposes legal constraints on the use of any means and method of warfare, including cyber operations, adequately addresses this new reality.
Affirming IHL application to cyberspace
Against this background, during the regional consultation, experts recalled some of the agreements of States in the United Nations Group of Governmental Experts on Advancing Responsible State Behaviour in Cyberspace in the Context of International Security (UN GGE). Experts highlighted that the UN GGE 2021 report marks the first consensus acknowledgment among UN Member States of the application of IHL to the use of ICT by States in situations of armed conflict. Experts who were personally involved in the negotiating process recalled the concerns of States that such an acknowledgment could be perceived as legitimizing or encouraging conflict; which States collectively recalled that it does not. In this respect, one expert opined that cyber operations should be treated like any other means and methods of warfare. For example, acknowledging that IHL applies to the use of missiles does not imply encouragement for their use.
Looking at published State positions on how international law applies in cyberspace, at least five Asia-Pacific States have publicly affirmed the application of IHL to cyber operations through their national positions. These are Australia, Japan, New Zealand, Pakistan and Singapore. Japan’s national position directly addresses the aforementioned concern, characterizing “the argument that [affirming IHL application] will lead to the militarization of cyberspace” as “groundless”.
In line with the multilateral discussion in the context of the United Nations, the regional consultation thus focused primarily on how IHL rules and principles apply to cyber operations during armed conflict.
Addressing how IHL applies to cyberspace
Affirming that IHL applies to cyber operations in armed conflict is an essential first step to avoid or minimise the potential human suffering that cyber operations might cause. States should thus work towards a common understanding of how IHL principles and rules apply to cyber operations, considering the challenges posed by the interconnected nature of cyberspace and its largely digital character.
The regional consultation zoomed into some of the key challenges pertaining to important notions in IHL. Specifically, experts discussed questions such as: which cyber operations amount to ‘attack’ under IHL? Does civilian data qualify as a ‘civilian object’? When would civilian cyber infrastructure qualify as a ‘military objective’? And what limits does IHL impose on digital ‘information operations’? Answering these questions is crucial to determine the extent of IHL protection afforded to civilian populations against cyber and information operations. The ICRC has offered its legal analysis on some of those issues in its 2019 position paper.
As of today, many of these questions have not yet been publicly addressed by Asia-Pacific States, with the exception of Australia, Japan, New Zealand and Pakistan, which have expressed views on the notion of “attack” in cyberspace (for an overview of their and other State positions on the subject, see here). Having a closed-door experts discussion allowed for an open exchange on these issues. During the consultation, experts presented the whole range of positions of States and other experts on these issues.
Developing national positions
The regional consultation concluded with presentations from Indonesia, Australia, New Zealand and Estonia (as a guest presenter) on their internal processes of developing national positions on the application of international law to cyber operations. One commonality identified was that this process involved various ministries or agencies, including legal and technical experts. The presenters also shared the view that publishing national positions helped to build common ground on this topic and does not risk fragmenting international law.
To sum up, the consultation provided a valuable platform for dialogue and exchange of views among States in the region regarding cyber operations during armed conflict. In the ICRC’s view, States should continue such discussions, refine their legal positions and contribute to advancing common understandings on this topic. In an interconnected world, cyber operations risk affecting States and individuals beyond the physical battlefield. Clarifying and implementing legal constraints applicable to these operations is thus not only in the interest of States affected by armed conflict but also of all other states. It can help protect civilian populations who have become increasingly reliant on cyber and other digital technologies across various facets of their lives.